1 00:00:06,400 --> 00:00:07,250 - [Instructor] Let's go over
2 00:00:07,250 --> 00:00:10,660 what insecure direct object references are
3 00:00:10,660 --> 00:00:13,220 and what directory traversal
4 00:00:13,220 --> 00:00:15,460 or path traversal vulnerabilities are.
5 00:00:15,460 --> 00:00:19,900 So let's start with insecure direct object references,
6 00:00:19,900 --> 00:00:22,990 and this is when an application provides direct access
7 00:00:22,990 --> 00:00:26,290 to objects based on user-supplied input.
8 00:00:26,290 --> 00:00:28,260 So you can take advantage of this vulnerability
9 00:00:28,260 --> 00:00:30,810 to bypass authorization
10 00:00:30,810 --> 00:00:34,120 and also access resources on the system directly.
11 00:00:34,120 --> 00:00:35,280 Like, for example, you may be able
12 00:00:35,280 --> 00:00:37,580 to access a database record
13 00:00:37,580 --> 00:00:39,752 or files on the system,
14 00:00:39,752 --> 00:00:42,880 and again, you can actually bypass authorization
15 00:00:42,880 --> 00:00:45,240 and access resources directly
16 00:00:45,240 --> 00:00:48,900 by modifying the value of a parameter
17 00:00:48,900 --> 00:00:51,660 that is actually used to directly point to an object.
18 00:00:51,660 --> 00:00:53,650 So let's take a look at an example
19 00:00:53,650 --> 00:00:56,690 of insecure direct object reference in here.
20 00:00:56,690 --> 00:01:01,690 Basically, I have the WebGoat vulnerable web application
21 00:01:01,800 --> 00:01:05,300 on the left and I have the OWASP ZAP,
22 00:01:05,300 --> 00:01:08,480 or the Zed Attack Proxy, on the right.
23 00:01:08,480 --> 00:01:12,040 So I'm navigating to Insecure Direct Object Reference,
24 00:01:12,040 --> 00:01:15,070 and by the way, actually they provide a really good,
25 00:01:15,070 --> 00:01:16,890 probably even better explanation
26 00:01:16,890 --> 00:01:19,290 of what it is on the first page,
27 00:01:19,290 --> 00:01:21,560 but I'm gonna navigate to the second page here.
28 00:01:21,560 --> 00:01:23,260 I'm actually logged in already
29 00:01:23,260 --> 00:01:24,880 with the user called Tom,
30 00:01:24,880 --> 00:01:26,550 and the password is actually cat,
31 00:01:26,550 --> 00:01:28,770 but just for demonstration purposes,
32 00:01:28,770 --> 00:01:30,320 I'm gonna log in again.
33 00:01:30,320 --> 00:01:33,270 And then once I'm logged in,
34 00:01:33,270 --> 00:01:35,450 I navigate to the next page,
35 00:01:35,450 --> 00:01:39,440 and in there, I will click on View Profile.
36 00:01:39,440 --> 00:01:40,572 Before I do that,
37 00:01:40,572 --> 00:01:45,572 I'm gonna start the proxy in the OWASP ZAP attack proxy,
38 00:01:47,430 --> 00:01:49,380 so the proxy function.
39 00:01:49,380 --> 00:01:51,730 So I'm actually clicking on that.
40 00:01:51,730 --> 00:01:56,466 Going back to WebGoat, I click on View Profile,
41 00:01:56,466 --> 00:01:57,718 and as you can actually see,
42 00:01:57,718 --> 00:02:00,446 I'm actually forwarding all the traffic,
43 00:02:00,446 --> 00:02:03,511 or the packets, actually, to the web server,
44 00:02:03,511 --> 00:02:07,810 and once I do that, I actually navigate back to WebGoat
45 00:02:07,810 --> 00:02:11,350 in the OWASP ZAP proxy,
46 00:02:11,350 --> 00:02:13,620 and under GET profile,
47 00:02:13,620 --> 00:02:16,520 if I go under the response,
48 00:02:16,520 --> 00:02:19,960 you actually see a user ID there
49 00:02:19,960 --> 00:02:21,940 that is not supposed to be displayed
50 00:02:21,940 --> 00:02:24,060 to a normal user.
51 00:02:24,060 --> 00:02:29,060 So you have a userId: 2342384 down on the right.
52 00:02:29,450 --> 00:02:32,450 So I'm actually gonna take a note of that,
53 00:02:32,450 --> 00:02:34,404 because if I actually go back
54 00:02:34,404 --> 00:02:38,500 to the WebGoat vulnerable application
55 00:02:38,500 --> 00:02:41,960 and then I continue the exercise,
56 00:02:41,960 --> 00:02:46,960 I can go and then try to predict an alternate path
57 00:02:48,590 --> 00:02:51,540 to the URL and probably get the contents
58 00:02:51,540 --> 00:02:54,010 of that user ID profile,
59 00:02:54,010 --> 00:02:57,590 even if I'm not supposed to be able to do so.
60 00:02:57,590 --> 00:03:01,990 So under the form that I have in here,
61 00:03:01,990 --> 00:03:05,870 I go to WebGoat/IDOR,
62 00:03:05,870 --> 00:03:09,100 which is actually the path that you saw earlier
63 00:03:09,100 --> 00:03:12,070 in the proxy.
64 00:03:12,070 --> 00:03:14,940 And then /profile,
65 00:03:14,940 --> 00:03:18,540 and then after that, I'm gonna put the user ID
66 00:03:18,540 --> 00:03:21,770 that we saw in the proxy.
67 00:03:21,770 --> 00:03:24,980 So once I do that, I click Submit and there you go.
68 00:03:24,980 --> 00:03:29,200 Congratulations, you actually have used an alternate URL
69 00:03:29,200 --> 00:03:31,720 to view, in this case, our own profile,
70 00:03:31,720 --> 00:03:33,860 but this type of example,
71 00:03:33,860 --> 00:03:35,360 or these types of attacks,
72 00:03:35,360 --> 00:03:39,140 can take place to obtain access
73 00:03:39,140 --> 00:03:40,480 to files on the system,
74 00:03:40,480 --> 00:03:43,583 to obtain access to database records, and many others.
75 00:03:44,790 --> 00:03:49,000 Now that I have gone over insecure direct object references,
76 00:03:49,000 --> 00:03:53,330 let's go over what directory traversal vulnerabilities are.
77 00:03:53,330 --> 00:03:56,220 So what is path traversal? Basically,
78 00:03:56,220 --> 00:03:58,430 some folks actually call it directory traversal,
79 00:03:58,430 --> 00:03:59,360 others call it path traversal,
80 00:03:59,360 --> 00:04:00,830 but it's basically the same thing,
81 00:04:00,830 --> 00:04:03,870 and this is when a vulnerability actually takes place
82 00:04:03,870 --> 00:04:06,040 in a web application that can allow you
83 00:04:06,040 --> 00:04:08,900 to actually access files and directories
84 00:04:08,900 --> 00:04:12,009 that are stored outside of the web root folder.
85 00:04:12,009 --> 00:04:12,983 So you can actually exploit
86 00:04:12,983 --> 00:04:15,180 these path traversal vulnerabilities
87 00:04:15,180 --> 00:04:17,700 by manipulating variables
88 00:04:17,700 --> 00:04:21,880 that reference files. Another name
89 00:04:21,880 --> 00:04:25,790 for the same attack is the dot-dot-slash attack.
90 00:04:25,790 --> 00:04:28,260 So if you put a dot, a dot, a slash,
91 00:04:28,260 --> 00:04:29,547 and then you repeat that
92 00:04:29,547 --> 00:04:32,764 and you go back and try to actually escape back
93 00:04:32,764 --> 00:04:35,690 out of the web root folder,
94 00:04:35,690 --> 00:04:38,460 you may be able to show the contents
95 00:04:38,460 --> 00:04:41,810 of all the files, so let's actually do that in here.
96 00:04:41,810 --> 00:04:43,660 And in this example,
97 00:04:43,660 --> 00:04:47,300 I'm actually using the Damn Vulnerable Web Application,
98 00:04:47,300 --> 00:04:49,600 and I go under File Inclusion.
99 00:04:49,600 --> 00:04:52,080 After I actually click on that,
100 00:04:52,080 --> 00:04:56,730 you see on the top that I have the page=include.php file
101 00:04:58,353 --> 00:05:00,650 in there, and in there,
102 00:05:00,650 --> 00:05:04,490 instead of actually putting the PHP file,
103 00:05:04,490 --> 00:05:08,960 I'm going to put the ../ several times,
104 00:05:08,960 --> 00:05:11,820 try to escape out of the web root folder,
105 00:05:11,820 --> 00:05:14,243 and list the contents of /etc/passwd.
106 00:05:15,120 --> 00:05:16,550 So let's actually do that
107 00:05:16,550 --> 00:05:17,780 and send it to the server
108 00:05:17,780 --> 00:05:20,010 and see what actually happens, and there you go.
109 00:05:20,010 --> 00:05:23,225 You actually can see all the entries
110 00:05:23,225 --> 00:05:26,260 in the /etc/passwd file.
111 00:05:26,260 --> 00:05:30,250 So this actually can be a very catastrophic vulnerability,
112 00:05:30,250 --> 00:05:33,410 because it can allow either an authenticated
113 00:05:33,410 --> 00:05:35,327 or unauthenticated attacker
114 00:05:35,327 --> 00:05:39,130 to be able to retrieve very sensitive information
115 00:05:39,130 --> 00:05:40,380 from the system.
116 00:05:40,380 --> 00:05:43,230 Now, you can also encode these types
117 00:05:43,230 --> 00:05:48,230 of messages to probably bypass web application firewalls
118 00:05:48,840 --> 00:05:49,680 and some other ones,
119 00:05:49,680 --> 00:05:52,740 and I'm actually showing here different combinations
120 00:05:52,740 --> 00:05:55,650 of the encoding methodologies
121 00:05:55,650 --> 00:05:56,493 that you can actually use
122 00:05:56,493 --> 00:06:01,434 for demonstrating the dot-dot-slash.
123 00:06:01,434 --> 00:06:04,620 You can also use
124 00:06:04,620 --> 00:06:09,120 other operating system-specific path structures,
125 00:06:09,120 --> 00:06:12,420 a slash in Linux or a backslash in Windows, depending
126 00:06:12,420 --> 00:06:13,421 on the environment,
127 00:06:13,421 --> 00:06:16,649 and then, of course, list any files
128 00:06:16,649 --> 00:06:21,439 that you may get access to in the system.
129 00:06:21,439 --> 00:06:23,950 Now, there's a whole bunch of best practices
130 00:06:23,950 --> 00:06:24,838 to actually prevent
131 00:06:24,838 --> 00:06:27,320 and mitigate directory traversal vulnerabilities.
132 00:06:27,320 --> 00:06:29,016 The first one is actually to understand
133 00:06:29,016 --> 00:06:31,340 how the underlying operating system
134 00:06:31,340 --> 00:06:34,970 actually processes file names provided by the user
135 00:06:34,970 --> 00:06:36,440 or an application.
136 00:06:36,440 --> 00:06:37,350 The second one is actually
137 00:06:37,350 --> 00:06:39,975 to never store sensitive configuration files
138 00:06:39,975 --> 00:06:42,170 inside of a web root directory.
139 00:06:42,170 --> 00:06:43,468 That's a given.
140 00:06:43,468 --> 00:06:46,600 And also, to prevent user input
141 00:06:46,600 --> 00:06:49,620 when using file system calls.
142 00:06:49,620 --> 00:06:52,540 So all those are best practices
143 00:06:52,540 --> 00:06:56,927 to mitigate path traversal vulnerabilities.
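The two weaknesses walked through above (the `page=` include that is joined straight onto the web root, and the `/profile/<userId>` lookup that trusts whatever id is in the URL), each next to a hardened version, as an added example that is not part of this transcript and is not WebGoat's or DVWA's own code. The web root path, the second profile record and all function names are assumptions made for the example; the only value taken from the transcript is the userId 2342384.

```python
import posixpath
from urllib.parse import unquote

# Assumed install path for the DVWA file-inclusion page; the real path depends
# on the deployment. Only the prefix check in resolve_include_safe uses it.
WEB_ROOT = "/var/www/html/dvwa/vulnerabilities/fi"

# Constructed profile store standing in for WebGoat's user table. 2342384 is
# the userId seen in the ZAP response; the second record is made up.
PROFILES = {
    2342384: {"name": "Tom", "role": "user"},
    2342385: {"name": "other-user", "role": "user"},
}


def decode_user_path(raw: str, max_rounds: int = 3) -> str:
    """Canonicalize a user-supplied path fragment before any file-system use.

    Repeated percent-decoding catches '..%2f' and double-encoded '..%252f';
    backslashes are folded to '/' so a Windows-style '..\\' cannot slip past a
    filter that only looks for '../'; a NUL byte is rejected outright because
    C-based runtimes truncate the path there ('include.php%00.txt').
    """
    decoded = raw
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    return decoded.replace("\\", "/")


def resolve_include_vulnerable(page: str) -> str:
    """What a naive 'page=' handler does: join the raw value onto the web root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def resolve_include_safe(page: str) -> str:
    """Hardened form: canonicalize first, then refuse anything outside WEB_ROOT."""
    target = posixpath.normpath(posixpath.join(WEB_ROOT, decode_user_path(page)))
    if target != WEB_ROOT and not target.startswith(WEB_ROOT + "/"):
        raise PermissionError(f"path escapes web root: {page!r}")
    return target


def is_traversal_attempt(page: str) -> bool:
    """True when the hardened resolver rejects the value (useful for tests/logging)."""
    try:
        resolve_include_safe(page)
    except (PermissionError, ValueError):
        return True
    return False


def get_profile_vulnerable(requester_id: int, target_id: int) -> dict:
    """IDOR: the id from the URL is used directly, the requester is never checked."""
    return PROFILES[target_id]


def get_profile_safe(requester_id: int, target_id: int) -> dict:
    """Ownership check: the id in the URL must belong to the authenticated user."""
    if requester_id != target_id:
        raise PermissionError(f"user {requester_id} may not view profile {target_id}")
    return PROFILES[target_id]


def can_view_profile(requester_id: int, target_id: int) -> bool:
    try:
        get_profile_safe(requester_id, target_id)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    payload = "../../../../../../etc/passwd"
    print("vulnerable resolves to:", resolve_include_vulnerable(payload))  # /etc/passwd
    print("hardened rejects it:", is_traversal_attempt(payload))         # True
    print("Tom may view 2342384:", can_view_profile(2342384, 2342384))   # True
    print("other user may view it:", can_view_profile(2342385, 2342384))  # False
```

The prefix check works on the normalized string, so on a real server resolve the path with `os.path.realpath` as well before comparing, otherwise a symlink under the web root can still point outside it. An allowlist of the handful of page names the application actually serves is stronger still and is what "prevent user input when using file system calls" amounts to in practice.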